Abstract

This paper describes five loss of control accidents involving 
commercial aircraft, and derives from those accidents three 
principles to consider when developing a potential safety case 
for an advanced flight control system for commercial aircraft. 
One, among the foundational evidence needed to support a 
safety case is the availability to the control system of accurate 
and timely information about the status and health of relevant 
systems and components. Two, an essential argument to be 
sustained in the safety case is that pilots are provided with 
adequate information about the control system to enable them 
to understand the capabilities that it provides. Three, another 
essential argument is that the advanced control system will 
not perform less safely than a good pilot. 

1 Introduction 

Research is currently being planned and conducted to develop 
advanced flight control techniques and systems for 
commercial aircraft. A primary goal of some of this research 
is to improve aviation safety by providing means for ensuring 
safe flight and landing in the presence of adverse conditions 
such as environmentally induced upsets and actuator or sensor 
failures [7].

Before any of the techniques or systems envisioned by 
researchers will be permitted on commercial aircraft, 
convincing arguments for the safety of these techniques and 
systems will have to be developed and sustained. A safety 
case approach to creating these arguments for advanced flight 
control systems — that is, an approach in which the safety 
goals, arguments, and evidence are presented explicitly and 
carefully linked together — is the subject of current research. 
A primary goal of this research is to develop techniques to 
document and explain thoroughly why a particular design and 
implementation is considered to be acceptably safe to use 
within a specified operating environment. 

Many details of a specific safety case will depend on the 
particular advanced flight control techniques or systems used; 
however, every safety case will likely have to address some 
common concerns. In this paper, we posit three such possible
common concerns, based on a review of five commercial
aviation accidents in the United States that involved loss of 
control of the aircraft. 

The remainder of this paper follows a simple structure. In 
section 2, we describe the five accidents. In section 3, we 
posit that these five accidents suggest three principles that 
should be considered in developing a safety case for any 
advanced flight control system. We give brief concluding 
remarks and suggestions for future work in section 4. 

2 The Accidents 

In this section, we describe each of the following accidents: 
(1) The in-flight loss of hydraulics and subsequent crash on 
landing of United Flight 232 on July 19, 1989; (2) The 
uncontrolled descent and collision with terrain of USAir 
Flight 427 on September 8, 1994; (3) The loss of control and 
impact with the Pacific Ocean of Alaska Airlines Flight 261 
on January 31, 2000; (4) The in-flight separation of the 
vertical stabilizer of American Airlines Flight 587 on
November 12, 2001; and (5) The loss of pitch control during
takeoff of Air Midwest Flight 5481 on January 8, 2003. We 
chose these five accidents because they are among the worst 
loss of control accidents during the last two decades. 

The information for each description below is taken from the
referenced report from the US National Transportation Safety 
Board (NTSB), which for the purposes of this paper we 
consider to be fully authoritative and accurate. The 
descriptions below are necessarily short, with many details 
left out. Interested readers are encouraged to read the full 
accident reports, for reasons we have explained elsewhere [5].

2.1 United Flight 232 (1989) 

United Airlines flight 232 was a scheduled passenger flight 
from Denver, Colorado, to Philadelphia, Pennsylvania, with a 
stop at Chicago, Illinois. The aircraft employed for the flight 
was a McDonnell Douglas DC-10-10. On July 19, 1989,
Flight 232 left Denver’s Stapleton International Airport a few
minutes after 2 p.m. with 285 passengers and 11 crew
members on board [8].



The first hour of the flight was uneventful, but about 67 
minutes after takeoff, as the plane was flying at about 37,000 
feet with autopilot and autothrottles engaged, a loud bang was 
heard coming from the rear of the aircraft; the noise was followed
by a vibrating and shuddering of the plane. Instruments
showed that the tail-mounted engine (denoted as engine #2)
had failed, and that the normal hydraulic system pressure and
quantity were zero. The airplane did not respond to flight
control inputs by either the first officer or the captain. 
Attempts by the flight crew to restore hydraulic pressure by 
using an auxiliary hydraulic pump were unsuccessful. 

About 6 minutes after the initial bang, the flight crew radioed 
the nearest Air Route Traffic Control Center, asking for 
emergency assistance and vectors to the nearest airport. After 
some discussion, the controller suggested going to Sioux 
Gateway Airport, Sioux City, Iowa, which was in the general 
direction in which the flight was headed. The flight crew 
accepted this suggestion. 

When the flight attendants began preparing the cabin for an 
emergency landing, a United Airlines DC-10 training check 
airman identified himself and volunteered his help. On being 
told about the volunteer, the captain invited the check airman 
to the cockpit, and asked him to return to the passenger cabin 
to look at the wings. This inspection revealed that the 
control surfaces were not moving, the inboard ailerons were 
slightly up, and the spoilers were locked down. 

When the check airman returned to the cockpit with his 
report, the captain gave him the job of controlling the throttles 
while the captain and first officer attempted to manipulate the 
flight controls. The check airman tried to control the 
airplane’s pitch and roll by varying the engine power on the 
two underwing engines. He continually had to counter the 
tendency of the airplane to turn right. 

The flight crew made visual contact with the airport about 9 
miles out. Air traffic control had intended for the flight to 
attempt to land on the longest of the airport’s runways 
(runway 31); however, because the airplane was generally 
headed on the approach to runway 22, and because the crew 
had great difficulty in making any left hand turns, the captain 
elected to continue to attempt to land on runway 22. Without 
hydraulic pressure, the flaps and slats remained retracted, and 
the airspeed remained high. 

Oscillations in pitch and roll remained smooth until just 
before touchdown. At about 100 feet above the runway, the 
right wing dropped rapidly and the nose of the airplane 
pitched downward. The airplane touched down on the 
runway threshold slightly to the left of the centerline. The 
right wingtip made first contact with the ground, followed by 
the right main landing gear. According to witnesses, the 
airplane caught fire and cartwheeled to the right before 
eventually coming to rest. 185 people survived the crash, 
although one of the initial survivors died 31 days after the 
accident. 


The NTSB determined “that the probable cause of this 
accident was the inadequate consideration given to human 
factors limitations in the inspection and quality control 
procedures used by United Airlines’ engine overhaul facility 
which resulted in the failure to detect a fatigue crack 
originating from a previously undetected metallurgical defect 
located in a critical area of the stage 1 fan disk that was 
manufactured by General Electric Aircraft Engines. The 
subsequent catastrophic disintegration of the disk resulted in 
the liberation of debris in a pattern of distribution and with 
energy levels that exceeded the level of protection provided 
by design features of the hydraulic systems that operate the 
DC-10's flight controls.” 

A specific finding from the investigation relevant to the 
purposes of this paper is finding 6: “The airplane was 
marginally flyable using asymmetrical thrust from engines 
No. 1 and 3 after the loss of all conventional flight control 
systems; however, a safe landing was virtually impossible.” 
This finding was supported by a series of flight simulator 
studies, in which a DC-10 simulator was programmed to
behave as the accident airplane behaved. DC-10 rated pilots
flew the simulator. These pilots were unable to control the 
pitch oscillations with any precision; nor were they able to 
directly control the airspeed. As a result landing safely was 
“a highly random event.” The accident report includes praise 
for the flight crew: “The Safety Board believes that under the 
circumstances the UAL flight crew performance was highly 
commendable and greatly exceeded reasonable expectations.” 

2.2 USAir Flight 427 (1994) 

USAir¹ flight 427 was a scheduled passenger flight from
Chicago, Illinois, to Pittsburgh, Pennsylvania, operated using 
a Boeing 737-300 airplane. Aboard the aircraft when it 
departed Chicago about 6:10 p.m. on September 8, 1994, 
were 2 pilots, 3 flight attendants, and 127 passengers. The 
expected enroute flight time to Pittsburgh was 55 minutes [9]. 

The flight was uneventful until after it initiated the descent 
and approach to the Pittsburgh airport. At about 7:03 p.m., 
while flying at about 190 knots at 6000 feet, the airplane’s left 
bank steepened from less than 8° to more than 20°. The left 
roll rate was arrested briefly, moving to about 15°. Sounds on 
the Cockpit Voice Recorder (CVR) suggested that the flight 
crew were struggling to control the aircraft. 

After only about a second, the left roll rate increased again, 
and the aircraft’s heading moved rapidly leftward also. As 
the left bank angle increased to about 43°, the airplane began 
to descend below its assigned 6000 feet altitude and the 
airspeed dropped below 190 knots. The CVR recorded the 
sound of the autopilot disconnect horn, and during the next 5 
seconds, the flight data recorder (FDR) recorded decreasing 
altitude, decreasing airspeed, increasing left roll, and aft
control column input. During this time the CVR recorded
sounds similar to stall buffet onset, the aircraft stickshaker
activation, and exclamations from the crew.

¹ The airline changed its name to US Airways in 1996, but its
name at the time of the accident is used here, as it was in the
NTSB report.

About 23 seconds past 7:03 p.m., the airplane crashed into 
hilly, wooded ground about 6 miles northwest of the airport, 
in Aliquippa, Pennsylvania. All 132 people aboard the flight 
were killed, and the airplane was destroyed. 

The NTSB’s investigation² into the accident took almost 5
years, with the final board meeting occurring in March, 1999. 
The board concluded that “the probable cause of the USAir 
flight 427 accident was a loss of control of the airplane 
resulting from the movement of the rudder surface to its 
blowdown limit. The rudder surface most likely deflected in a 
direction opposite to that commanded by the pilots as a result 
of a jam of the main rudder power control unit servo valve 
secondary slide to the servo valve housing offset from its 
neutral position and overtravel of the primary slide.” 

As a result of its investigation into this accident, the NTSB 
also came to conclude that the 1991 crash of United Airlines 
flight 585 in Colorado Springs, Colorado, had the same 
probable cause. The original investigation into that crash had 
been unable to determine a probable cause [10]. 

For this paper, relevant findings from the investigations 
include finding 12 (“The flight crew of USAir flight 427 
recognized the initial upset in a timely manner and took 
immediate action to attempt a recovery but did not 
successfully regain control of the airplane”), finding 13 (“The 
flight crew of USAir flight 427 could not be expected to have 
assessed the flight control problem and then devised and 
executed the appropriate recovery procedure for a rudder 
reversal under the circumstances of the flight”), findings 16 
and 17 (which are identical to 12 and 13 but for United flight 
585), and finding 18 (“Training and piloting techniques 
developed as a result of the USAir flight 427 accident show 
that it is possible to counteract an uncommanded deflection of 
the rudder in most regions of the flight envelope; such 
training was not yet developed and available to the flight 
crews of USAir flight 427 or United flight 585”). 

2.3 Alaska Airlines Flight 261 (2000) 

Alaska Airlines flight 261 was a scheduled international 
passenger flight from Puerto Vallarta, Mexico, to Seattle, 
Washington, with a stop planned in San Francisco, California. 
The flight departed Puerto Vallarta at a few minutes past 1:30 
p.m. with 2 pilots, 3 flight attendants, and 83 passengers on 
board the McDonnell Douglas MD-83 aircraft [11].

According to the data recorded on the airplane’s FDR, the 
flight proceeded normally through take-off (flown manually 
by the first officer) and initial climb (flown by the autopilot). 
As the airplane climbed through about 23,400 feet, the
horizontal stabilizer ceased moving normally, and remained at
the 0.4° airplane nose down (AND) position for the next 2
hours and 20 minutes of the flight. During this period, the
flight crew contacted Alaska Airlines’ maintenance and
dispatch facility in Seattle to discuss a possible diversion to
Los Angeles International Airport (LAX) because of a
jammed horizontal stabilizer. After some discussion, the
captain made the decision to head for LAX, and began
conversations with Alaska Airlines’ maintenance personnel
there about the jammed stabilizer. The flight crew also tried
various procedures to further diagnose or correct the problem.

² Details about the investigation itself are described in two
books written on the subject [1, 3].

The FDR data indicated that the autopilot was switched off at 
about 4:09 p.m., and about 3-4 seconds afterwards the 
horizontal stabilizer moved from its jammed position of 0.4° 
AND to 2.5° AND (slightly beyond the normal maximum 
AND position). As a result, the airplane pitched downward 
and dove for about 80 seconds from about 31,050 feet to 
between 23,000 and 24,000 feet. The flight crew eventually 
arrested the dive, using an estimated pulling force of between
130 and 140 pounds to do so.

About 8 minutes later, as the flight crew extended the slats 
and flaps in initial preparation to attempt to land at LAX, the 
CVR recorded “an extremely loud noise” and increased 
background noise, and the FDR recorded a maximum nose-down
pitch rate of 25° per second. Within a few seconds, the
airplane was inverted and rapidly losing altitude. It struck the 
Pacific Ocean about 2.7 miles north of Anacapa Island, 
California. Everyone aboard was killed, and the airplane was 
destroyed by the impact forces. 

The NTSB determined “that the probable cause of this 
accident was a loss of airplane pitch control resulting from the 
in-flight failure of the horizontal stabilizer trim system 
jackscrew assembly's acme nut threads. The thread failure 
was caused by excessive wear resulting from Alaska Airlines’ 
insufficient lubrication of the jackscrew assembly.” Several 
factors contributing to the accident were also identified. 

Several specific findings from the investigation are relevant to 
this paper. Finding 9 notes, among other things, that “The 
pilots recognized that the longitudinal trim control system 
was jammed, but neither they nor the Alaska Airlines 
maintenance personnel could determine the cause of the jam.” 
The non-recoverability of the airplane is noted in finding 13 
and attributed to “an excessive upward aerodynamic tail load, 
which caused an uncontrollable downward pitching of the 
airplane.” 

Finding 17 states that “The flight crew’s use of the autopilot 
while the horizontal stabilizer was jammed was not 
appropriate”. Finally, the difficulty of the situation faced by 
these pilots, and its applicability to other pilots in similar 
situations is stated in finding 19 as follows: “Without clearer 
guidance to flight crews regarding which actions are 
appropriate and which are inappropriate in the event of an 
inoperative or malfunctioning flight control system, pilots 
may experiment with improvised troubleshooting measures
that could inadvertently worsen the condition of a controllable
airplane.” 

2.4 American Airlines Flight 587 (2001) 

American Airlines flight 587 was a scheduled international 
passenger flight from New York to Santo Domingo, 
Dominican Republic. The flight left its gate area at John F. 
Kennedy International Airport (JFK) at about 9 a.m. on 
November 12, 2001; 251 passengers, 7 flight attendants, and 
2 pilots were aboard the Airbus Industrie A300-605R. The
flight began its takeoff roll about 14 minutes later, with the 
first officer serving as the flying pilot. The airplane took off 
normally and began its climb following a standard departure 
that took it on a left hand turn out of the area [13]. 

At about 9:15:36, FDR data indicated G force changes 
consistent with a wake turbulence encounter. This wake 
turbulence was coming from a Japan Air Lines 747, which 
had taken off from JFK a couple of minutes earlier, and was 
flying a flight path that provided the required vertical and 
horizontal separation from flight 587. Between 9:15:36 and 
9:15:41 the FDR recorded movements of the control column, 
control wheel, and rudder pedals, which resulted in recovery 
from the wake encounter. The CVR recorded a brief 
conversation between the first officer and the captain about 
the encounter. 

At about 9:15:51 data from the FDR indicated a second wake 
turbulence encounter. The FDR also indicated that between 
9:15:52 and 9:15:58.5 the rudder pedals moved from 1.7 
inches right to 1.7 inches left, back to 1.7 inches right, to 2.0 
inches right, back to 2.4 inches left, and then 1.3 inches right. 
The control wheel moved 64° to the right, then 78° to the left 
(which is as far as it could go), back to 64° to the right and 
then to 78° to the left. The NTSB’s airplane performance 
study indicated that the right rear main attachment fitting for 
the vertical stabilizer fractured at 9:15:58.4, and the stabilizer 
separated from the airplane afterwards. 

The plane crashed into the residential area of Belle Harbor. 
All 260 people aboard the flight, and 5 people on the ground 
were killed. The aircraft was destroyed. The vertical 
stabilizer and rudder were found in Jamaica Bay, about 1 mile 
north of the main crash site. The engines had also separated 
in flight; they were found several blocks to the north and east 
of the main site. 

The NTSB determined “that the probable cause of this 
accident was the in-flight separation of the vertical stabilizer 
as a result of the loads beyond ultimate design that were 
created by the first officer’s unnecessary and excessive rudder 
pedal inputs. Contributing to these rudder pedal inputs were 
characteristics of the Airbus A300-600 rudder system design 
and elements of the American Airlines Advanced Aircraft 
Maneuvering Program.” 

Five of the 18 specific findings of the investigation are 
relevant to the purposes of this paper. Finding 6 notes that
“Flight 587's vertical stabilizer performed in a manner that
was consistent with its design and certification. The vertical 
stabilizer ... was exposed to aerodynamic loads that were 
about twice the certified limit load design envelope and were 
more than the certified ultimate load design envelope.” In 
finding 12, the NTSB concludes that “The first officer's initial 
control wheel input in response to the second wake turbulence 
encounter was too aggressive, and his initial rudder pedal 
input response was unnecessary to control the airplane.” 

Finding 13 implies a deficiency in certification standards, 
noting that “Certification standards are needed to ensure that 
future airplane designs minimize the potential for aircraft-pilot
coupling susceptibility and to better protect against high
loads in the event of large rudder inputs.” In finding 14, the 
NTSB makes a conclusion about the specific control system 
in the accident airplane type: “Because of its high sensitivity 
(that is, light pedal forces and small pedal displacements), the 
Airbus A300-600 rudder control system is susceptible to 
potentially hazardous rudder pedal inputs at higher 
airspeeds.” The fifth of the relevant findings is finding 16, 
which concludes that “There is a widespread 
misunderstanding among pilots about the degree of structural 
protection that exists when full or abrupt flight control inputs 
are made at airspeeds below the maneuvering speed.” 

2.5 Air Midwest Flight 5481 (2003) 

Air Midwest flight 5481 was a regularly scheduled passenger 
flight from Charlotte, North Carolina, to the Greenville-Spartanburg
International Airport in Greer, South Carolina,
operating as part of the US Airways Express network. There
were 2 pilots and 19 passengers aboard the Raytheon³ 1900D
aircraft when it was cleared for takeoff about 8:46 a.m. on 
January 8, 2003 [12]. 

Shortly after take-off, with the aircraft travelling at 139 knots 
about 90 feet above ground, the CVR recorded words from 
both the captain and first officer indicating a problem. The 
FDR data showed that the pitch angle was 20° aircraft nose 
up, but that the crew was forcefully commanding aircraft nose 
down pitch. About 8 seconds later the CVR recorded a 
change in engine noise, and a second after that the beginning 
of a sound similar to the stall warning horn. The FDR 
indicated a pitch attitude of 54° aircraft nose up. The captain 
radioed the air traffic control tower declaring an emergency; 
the sound similar to the stall warning horn ceased. 

About 4 seconds later the aircraft was 1,150 feet above 
ground, with an FDR indicated maximum left roll of 127° and 
a minimum airspeed of 31 knots, with a pitch attitude of 42°
aircraft nose down. A sound similar to the stall warning horn 
began again on the CVR; it continued until the end of the 
recording at 8:47:28.1. 


³ This model of aircraft is more commonly known by its
original name: Beechcraft 1900D. Raytheon Aircraft
Company bought Beech Aircraft Corporation in 1980.



The airplane hit a US Airways maintenance hangar on airport
property, and came to rest about 7600 feet past the threshold 
for runway 18R. All 21 people aboard the flight were killed; 
one US Airways mechanic on the ground received minor 
injuries from smoke inhalation. The aircraft was destroyed by 
impact forces and a post crash fire. 

The NTSB determined “that the probable cause of this 
accident was the airplane's loss of pitch control during 
takeoff. The loss of pitch control resulted from the incorrect 
rigging of the elevator control system compounded by the 
airplane's aft center of gravity, which was substantially aft of 
the certified aft limit.” The Board also identified six 
contributing factors to the accident. 

Findings 5, 6, and 10 from the Board’s report have 
implications for advanced flight control system safety cases. 
In finding 5, the Board concluded that “The accident 
airplane's elevator control system was incorrectly rigged ... 
and the incorrect rigging restricted the airplane's elevator 
travel to 7° airplane nose down, or about one-half of the 
downward travel specified by the airplane manufacturer.” 
Finding 6 noted that “The changes in the elevator control 
resulting from the incorrect rigging were not conspicuous to 
the flight crew.” Finding 10 stated: “Flight 5481 had an 
excessive aft center of gravity, which, combined with the 
reduced downward elevator travel resulting from the incorrect 
elevator rigging, rendered the airplane uncontrollable in the 
pitch axis.” 

3 Considerations for Safety Cases 

The flight control systems on the aircraft involved in the five 
accidents just described were not nearly as sophisticated or 
capable as the types of systems currently being researched. 
On first thought, one might therefore conclude that these 
accidents provide little or no insights for the design or safety 
assurance of advanced flight control systems. However, there
are significant risks if we ignore the lessons of previous 
mishaps [2]. As has been shown (see [4,6,14] for example), 
many accidents provide insights that are applicable far 
beyond the specific circumstances of the accident. 

We believe that these five accidents suggest at least three 
principles that should be considered when developing a safety 
case for an advanced control system. The discussion below
does not establish conclusively that these principles apply, but 
it should at least stimulate productive thought about some of 
the elements of cogent safety cases for advanced control 
systems. 

3.1 Information Available to Control System 

One principle suggested by the accidents is that among the 
foundational evidence needed to support a safety case is the 
availability to the control system of accurate and timely 
information about the status and health of relevant systems 
and components. Or, to put this principle another way, no 
advanced control system should be considered to be
sufficiently safe for use until a cogent argument, supported by
adequate evidence, is given that the control system will have 
accurate information about the state of the airplane and the 
environment. 

All five of the accidents provide support for this principle, 
with perhaps the strongest evidence coming from the Alaska 
Airlines flight 261 and Air Midwest flight 5481 accidents. In 
both of these cases the airplanes had equipment problems — 
thread wear for flight 261, and improper rigging for flight 
5481 — that led to in-flight failures from which recovery was
not possible. The pilots were unaware of these underlying 
problems, and by the time the problems manifested 
themselves in control upsets in flight, it was too late to 
recover from them. 

It seems unlikely that an advanced flight control system, even 
one employing highly adaptive control law algorithms, would 
have been able to recover from a complete failure of the 
horizontal stabilizer as occurred in flight 261. A situation 
such as that in flight 5481 seems different, however. Given 
correct information about the available elevator travel and the 
aircraft’s center of gravity, a sufficiently advanced flight 
control system might have been able to prevent the accident 
from happening. But only if it had adequate information 
about the airplane’s state. 

3.2 Information Available to Pilots 

Another principle derived from the accidents is that a safety 
case should contain an argument showing that pilots are 
provided with adequate information about the control system 
to enable them to understand the capabilities that it provides. 
American Airlines flight 587 provides strong support for this 
principle. Even though the flight control system on the 
accident airplane was not nearly as advanced as those 
currently being researched, the capabilities and limitations of 
that system (and systems like it) were not fully understood. 
Had the accident pilot had a better understanding of those 
capabilities and limitations, it seems likely that he would have 
made different control inputs in response to the wake 
turbulence encounters than he did make, and most probably 
these inputs would not have overstressed the vertical 
stabilizer to the point of fracture. 

The more advanced the flight control systems become, the 
greater the potential for misunderstanding by pilots of what 
those systems can do, and thus, the more crucial the need to 
provide the pilots with adequate information to avoid those 
misunderstandings. 

3.3 At Least As Safe As Pilots 

The third principle suggested by the five accidents is that a 
safety case for an advanced control system should contain a 
cogent and adequately supported argument that the system 
will not perform less safely than a good pilot would perform. 
The United Airlines flight 232 and USAir flight 427 accidents 
provide support for this principle. 



Flight 232 provides direct support for the principle, because 
the skills of the flight crew (including the off-duty pilot who 
assisted the crew) led directly to the survival of over 60% of 
the people on board. An advanced flight control system that 
was unable to do as well (and which prevented the flight crew 
from doing so, either) would not constitute a safety 
improvement. 

Flight 427’s support for the principle is less direct; that 
flight’s pilots were unable to recover from the rudder reversal. 
However, subsequent studies developed procedures to enable
recovery, thus equipping pilots with the knowledge necessary
to avoid a repeat of the accident. To be considered safe, an 
advanced flight control system should be able to do at least as 
well. 

4 Concluding Remarks 

In this paper we examined five commercial aviation accidents 
involving loss of control, and derived three principles from 
these accidents that should be considered in developing safety 
arguments for future advanced flight control systems. 

Two areas for future work are clear. One area is to examine 
more loss of control accidents, looking for additional 
applicable principles. In this paper, we have focused on a 
small number of high consequence accidents; looking at the 
larger number of incidents in which flight crews were able to 
avoid or recover from loss of control may well provide 
additional useful insights. The other area for future work is to 
attempt to apply the three principles described here to assist in 
the development of a framework for safety cases for advanced 
flight control systems. Research in this area should include 
developing means to assess whether the three principles have 
been satisfied in a particular system. Both areas are worthy of 
pursuit. 